FOCA – Metadata extractor for reconnaissance

When attacking an organization, the key items of reconnaissance an attacker looks into are:

  • Applications the users in the organization are using
  • Usernames
  • Operating systems
  • Security mechanisms, such as which AV vendor is in use

Knowing this information, the attacker sends an exploit that targets a vulnerability in an application the intended victims use.
This exploit should not be recognized by the AV the target organization uses.

Generally, they use PDF exploits (preferably zero-day), as most people use Adobe Reader. In well-organized companies, most critical software such as Adobe Reader is usually patched up to date.

So an alternative is to use an exploit for some other application the victim uses. Sometimes social reconnaissance of weak users, such as the helpdesk, can give you more information.

FOCA is a simple-to-use tool that downloads all the media files such as PDF, DOC, XLS, etc. from the site and extracts the metadata in those files. This information can be used maliciously by attackers.

 

The usernames identified can be useful later, since they may be the usernames for some protected resources, where brute-force or password-guessing techniques (with information from Facebook or social engineering) can be applied to break in.

 

This metadata from various media files can be dangerous. There are tools like MetashieldProtector that can be integrated into IIS to remove metadata when files are requested from a web server.

 

 

 

 
